"packaging and complicated signing" is routine for most installable web apps and browser extensions; see https://developer.mozilla.org/en-US/docs/Signing_a_XPI for instance. Developers who build those might actually want the process to be less complicated.
Given that the packaging spec lists installable web apps as a use case, it should probably define a signature format. -Yan On Thursday, January 29, 2015 7:12 PM, Michaela Merz <michaela.m...@hermetos.com> wrote: Pardon my french, but the whole idea is ridiculous. Web development is fluid and flexible. While I most certainly understand the idea and the need for secured loadable code (AFAIK I brought up this issue about 2 months ago), packaging and complicated signing is counter productive. What about external scripts like jquery? Do I really need to download a complete package because I fixed a stupid typo in one of the scripts? Maybe I am completely on the wrong track here (please correct me if I am) - but I think signed code should be handled completely different - thus preserving the flexibility of the LAMP/Script environment as we know it. Michaela On 01/30/2015 03:22 AM, Daniel Kahn Gillmor wrote: > On Thu 2015-01-29 20:14:59 -0500, Yan Zhu wrote: >> A signed manifest-like package description that lists the hash and >> location of every resource seems fine as long as all the resources are >> downloaded and verified before running the app. Perhaps this kills >> some of the performance benefits motivating packaging in the first >> place. :( > Why would you need to fetch all the pieces before running the app? > Consider a manifest includes an integrity check covering resources X, Y, > and Z, but X is the only bit of code that runs first, and Y and Z aren't > loaded. > > If you can validate the manifest, then you know you only run X if you've > verified the manifest and X's integrity. If the user triggers an action > that requires resource Y, then you fetch it but don't use it unless it > matches the integrity check. > > (i haven't developed webapps myself for ages, and the idea of a signed > webapp is relatively new to me, so feel free to explain any obvious part > that i'm missing) > > --dkg